CVE-2020-36240

CWE-200Information Exposure3 documents3 sources
Severity
5.3MEDIUM
EPSS
0.2%
top 54.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Atlassian Crowd
Timeline
PublishedMar 1
Latest updateMay 24

Description

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5atlassian/crowdunspecified4.0.4+2
NVDatlassian/crowd4.1.04.1.2+1

🔴Vulnerability Details

2
GHSA
GHSA-23rx-x963-qprq: The ResourceDownloadRewriteRule class in Crowd before version 42022-05-24
CVEList
CVE-2020-36240: The ResourceDownloadRewriteRule class in Crowd before version 42021-03-01
CVE-2020-36240 (MEDIUM CVSS 5.3) | The ResourceDownloadRewriteRule cla | cvebase.io